Declarative Edge Kubernetes: Immutable Clusters with Talos + Zarf
Brandt Keller, Defense Unicorns & Merijn Keppel, TrueFullstaq
Tuesday March 24, 2026, 17:00 - 17:30
Hall 8 | Room D
More info
The Zarf way: solving air-gapped Kubernetes bootstrapping
What happens when your cluster lives where the internet doesn't? This March at KubeCon Europe in Amsterdam, Merijn Keppel from TrueFullstaq and Brandt Keller from Defense Unicorns will demonstrate the answer live on stage. No simulations, no slides about how it could work. Just a complete Kubernetes cluster bootstrapped from bare metal with zero connectivity.
Because air-gapped environments, restricted networks, and disconnected edge sites all share the same brutal truth: your beautiful GitOps pipeline means nothing if you can't pull an image.
The fundamental problem
Running Kubernetes without internet access creates an immediate dilemma. You need a container registry to pull images. But to run that registry, you need to pull the registry image itself. Welcome to the bootstrapping problem of air-gapped clusters.
GitOps pipelines, CI/CD workflows, and Helm deployments all assume your cluster can access external registries like Docker Hub, Quay, or GCR. But what if your cluster runs on an offshore wind farm? In a government data center? On a military installation? In a factory where OT networks are strictly segregated?
Then "no internet" means exactly that. Not temporarily slow, not occasionally offline, but permanently disconnected. And your entire deployment strategy stops working.
Zarf's solution: clever use of ConfigMaps
Zarf solves the connectivity problem by packaging everything into a single deployable artifact. Images, manifests, charts, the lot. It doesn't care about your network topology.
The engineering trick: Zarf splits the registry:3 image into 512KB chunks. Why exactly that size? Because Kubernetes ConfigMaps have a 1MB limit (technically determined by etcd configuration, but 1MB is the default). A compressed registry image is roughly 18MB, resulting in about 35 ConfigMaps that together contain the complete registry image.
But how do you reassemble those chunks into a working registry image? You don't have a reliable image in the cluster that can do that for you. That's why Zarf injects a statically compiled Rust binary (the zarf-injector) alongside the image chunks. This binary runs in an ephemeral pod (based on an image already in the cluster) and does three things:
- Reassembles the registry image chunks
- Hosts a temporary, pull-only Docker registry written in Rust
- Enables deploying the real registry from that temporary registry
No workarounds, no compromises.
It's just a working registry, fully disconnected from bare metal.
Mutating webhooks: automatic image redirects
Once the registry is running, the second part of the solution kicks in: the zarf-agent. This is a Kubernetes Mutating Webhook that intercepts resources before they enter the cluster and automatically adapts them for the air-gapped environment.
When a pod is created, the webhook does two things:
- Rewrites the image path to the internal Zarf registry (for example, docker.io/nginx:latest becomes 127.0.0.1:31999/nginx:latest-zarf-3892838293)
- Automatically injects the appropriate ImagePullSecrets
This works not just for simple pod deployments, but also for Flux GitRepository resources, ArgoCD applications, and Helm charts. You don't need to modify your manifests, because Zarf ensures everything points to the local registry.
Exactly where your GitOps tooling expects images to be available, without having to write templating logic yourself.
Why this matters
This approach makes modern cloud-native capabilities accessible to environments that normally wouldn't have access. Defense, energy, telecom, healthcare: sectors where digital sovereignty and data residency aren't optional, but hard requirements.
You can develop while connected, using all the tooling and workflows you're used to. Then deploy without sending a single byte over the internet. Same declarative configuration, same immutable infrastructure patterns, just without the connectivity dependency.
See it in action at KubeCon Europe 2026
Merijn Keppel will demonstrate exactly this during KubeCon Europe in Amsterdam. Together with Brandt Keller from Defense Unicorns, he'll show how to bootstrap a complete Talos Kubernetes cluster from bare metal, fully disconnected, and then perform an on-stage cluster upgrade using a Zarf package.
Talos Linux strips Kubernetes down to its essence. No SSH, no shell, no drift. Just a declarative API that treats your entire OS as cattle, not pets. Combined with Zarf's packaging approach, you get immutable clusters that work reliably at the edge.
Let's meet at KubeCon Europe 2026
Tutorial: Your Application, Batteries Included: Packaging for Deterministic, Secure, and Portable Delivery
Brandt Keller & Austin Abro, Defense Unicorns; William Crum, Spectro Cloud; Merijn Keppel, TrueFullstaq; Jessica Keppel-Drost, Isala
Thursday, March 26, 202,6 13:45 - 15:00
Elicium 1
More info
